Hello Stephen
I do not know if I understood well, but if you want to disable this
alert, you only need to add the following block to your file local_rules.xml
<rule id="5104" level="0" overwrite="yes">
  <if_sid>5100</if_sid>
  <regex>Promiscuous mode enabled|</regex>
  <regex>device \S+ entered promiscuous mode</regex>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>
This block will overwrite the official 5104 rule.
If you want to do that, you have to be sure, because you are changing the
level value of the event in order to dismiss it. It could be possible that
other similar events (i.e. a malicious script which changes the network
interface to promiscuous mode) will then not be registered as an alert
either.
Hope it helps.
Best regards,
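As an added example (not part of the reply above, and not OSSEC's own rule set), here is a narrower alternative for local_rules.xml that addresses the caveat in the reply: instead of rewriting rule 5104 to level 0 for every host and interface, a child rule silences only the case shown in the notification (agent lxbandt2, interface eth10, where Oracle is known to put the interface in promiscuous mode), while 5104 keeps firing at level 8 anywhere else. The rule id 100100 is an assumption; use any unused id from the local range (100000-119999).

```xml
<!-- Added example, not from the reply above. Goes in /var/ossec/rules/local_rules.xml.
     Narrow override: ignore promiscuous-mode only for the known-benign host/interface
     from the notification (lxbandt2 / eth10); every other host or interface still
     triggers the stock rule 5104 at level 8.
     Rule id 100100 is an assumption: pick any free id in the local range 100000-119999. -->
<group name="local,syslog,">

  <!-- Child of 5104: when the parent matches AND both conditions below hold,
       this rule fires instead of 5104, and level 0 means no alert is raised. -->
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <hostname>lxbandt2</hostname>
    <match>device eth10 entered promiscuous mode</match>
    <description>Known benign promiscuous mode on lxbandt2 eth10 (Oracle process); ignored.</description>
  </rule>

</group>
```

After restarting OSSEC (`/var/ossec/bin/ossec-control restart`), the override can be checked on the manager with ossec-logtest: feeding it the line `Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode` should report rule 100100 at level 0, while the same line with a different hostname or interface should still report rule 5104 at level 8. Keeping the override this specific means a script enabling promiscuous mode on another interface or another server is still alerted on.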
On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>
> We have recently been getting the following message from OSSEC:
>
> OSSEC HIDS Notification.
>
> 2017 Oct 27 09:40:01
>
> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>
> Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing)
> mode."
>
> Portion of the log(s):
>
> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>
> --END OF NOTIFICATION
>
> Question
>
> Is there a way to ignore this message (and others that are similar) as we
> determined that this is not an issue for the server (it seems like Oracle is
> running a process)?
>
> Is it possible to whitelist or somehow have OSSEC ignore this
> specific warning? If so, where do we code this?
>
> I am running OSSEC 2.8.1 on the client and server.
>
> Thanks in advance
>
> Stephen LuShing
>
> Hofstra University - Open System
>
> 125 Hofstra University
>
> McEwen Hall - Room 208
>
> Hempstead, NY 11549
>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.